Additional Materials:

Contact:

The U.S. military relies on the defense industrial base (DIB) to meet requirements to fulfill the National Military Strategy. The potential destruction, incapacitation, or exploitation of critical DIB assets by attack, crime, technological failure, natural disaster, or man-made catastrophe could jeopardize the success of U.S. military operations. GAO was asked to review the Department of Defense's (DOD) Defense Critical Infrastructure Program and has already reported that DOD has not developed a comprehensive management plan for its implementation. This, the second GAO report, has (1) determined the status of DOD's efforts to develop and implement a risk management approach to ensure the availability of DIB assets, and (2) identified challenges DOD faces in its approach to risk management. GAO analyzed plans, guidance, and other documents on identifying, prioritizing, and assessing critical domestic and foreign DIB assets and held discussions with DOD and contractor officials.

DOD has begun developing and implementing a risk management approach to ensure the availability of DIB assets needed to support mission-essential tasks, though implementation is still at an early stage. Its sector assurance and sector-specific plans focus on steps to identify a list of critical assets that, if damaged, would result in unacceptable consequences; prioritize those critical assets based on a risk assessment process; perform vulnerability assessments on high-priority critical assets, and encourage contractors' actions to remediate or mitigate adverse effects found during these assessments, as appropriate, to ensure continuity of business. The Defense Contract Management Agency, the executing agency for the DIB, has developed a process to identify the most important DIB assets and to narrow this list to those it considers critical. It has also developed an asset prioritization model for determining a criticality score and ranking critical assets, and it has established a standardized mission assurance vulnerability assessment process for critical DIB assets. DOD faces several key challenges in implementing its DIB risk management approach. Overall, DOD's methodology for identifying critical DIB assets is evolving, and DOD lacks targets and time frames for completing development of key program elements that are needed for its risk management approach. Without them, DOD cannot measure its progress toward ensuring that DIB assets supporting critical DOD missions are properly identified and prioritized. The specific challenges are as follows: First, DOD is not fully incorporating the military services' mission-essential task information (i.e., listings of assets whose damage, degradation, or destruction would result in DOD-wide mission failure) in compiling its critical asset list. Second, GAO's analysis of DOD's prioritization model shows that weighting factors were selected and data determined according to subjective decisions and limited review, and that needed contractor-specific data were lacking, as was comprehensive threat information, thus undermining the utility of the index score for prioritizing contractors. Without these comprehensive data and a reliable asset prioritization model, DOD will not be in a sound position to know that it has identified the most important and critical assets, as called for in the National Military Strategy. Third, with regard to scheduling and conducting assessments of critical DIB assets, DOD is currently doing so based on contractor amenability and security clearance status without regard for assets' priority rankings, and thus cannot ensure that the most critical DIB contractors are assessed. Fourth, DOD lacks a plan for developing options to work with the Department of State and other appropriate agencies to identify and address potential challenges in assessing vulnerabilities in foreign critical DIB assets. Until all these challenges are addressed, DOD will lack the visibility it needs over critical DIB asset vulnerabilities, will be unable to encourage critical DIB contractors to take needed remediation actions, and will be unable to make informed decisions regarding limited resources.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: DOD Instruction 3020.45 was issued on April 21, 2008, which states that the Chairman of the Joint Chief of Staff, as lead and in coordination with DOD components will submit a vulnerability assessment prioritized list, along with a timeline, to the Assistant Secretary of Defense.

Recommendation: To manage the complete development of the risk management approach to better ensure its effectiveness the Secretary of Defense should direct the ASD(HD&ASA) to develop a management framework that includes targets and time frames and undertakes the following steps to schedule and conduct vulnerability assessments on the critical DIB assets based on their respective rankings as validated in the asset prioritization model, to ensure that the most critical DIB assets are assessed in a timely manner and DOD maximizes its use of limited resources.

Agency Affected: Department of Defense

Status: Closed - Implemented

Comments: DOD Instruction 3020.45 was issued on April 21, 2008, which states that DOD, where appropriate, will use existing DOD and non-DOD processes to ensure effective and efficient program execution. DCMA had previously stated it was open to further technical review of the asset prioritization model and commented that it will work with the Assistant Secretary of Defense to identify credible and capable subject matter experts to support this effort. DOD issued a strategy document in March 2008 which provides a plan to reach out to stakeholders to promote contractor response rates and data quality. DOD Instruction 3020.45 also states that DOD will coordinate with appropriate intelligence agencies, such as the Department of Homeland Security and the Federal Bureau of Investigation, to obtain threat and hazard information on critical assets.

Recommendation: To manage the complete development of the risk management approach to better ensure its effectiveness the Secretary of Defense should direct the ASD(HD&ASA) to develop a management framework that includes targets and time frames and undertakes the following steps to improve the reliability of its asset prioritization model by obtaining the appropriate external technical review; developing a detailed plan for improving response rate and data quality from DIB contractors in conducting its next capabilities survey, to ensure that DCMA obtains contractor-specific data needed for establishing priorities; and identifying and developing procedures for obtaining comprehensive threat information from the appropriate intelligence agencies, including DHS, the Federal Bureau of Investigation, and others to use as model inputs to prioritize DIB assets and conduct vulnerability assessments.

Agency Affected: Department of Defense

Status: Closed - Implemented

Comments: DOD Instruction 3020.45 was issued on April 21, 2008, which formalized the process and procedures for developing a comprehensive list of critical defense industrial base assets. The instruction states that combatant commands and defense agencies will identify critical assets based on mission essential task information.

Recommendation: To manage the complete development of the risk management approach to better ensure its effectiveness the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD)(HD&ASA) to develop a management framework that includes targets and time frames and undertakes the following steps to obtain comprehensive data from all the combatant commands and services based on mission-essential task information, and incorporate these data with those set forth in the Defense Contract Management Agency (DCMA) guidance, to develop a comprehensive list of the critical DIB assets.

Agency Affected: Department of Defense

Status: Closed - Implemented

Comments: DOD issued its Strategy for Defense Critical Infrastructure in March 2008. To address potential challenges in addressing vulnerabilities of critical foreign contractors, the strategy document provides that DOD will coordinate with the Department of State and other Federal entities to ensure that relevant policy documents address DOD perspectives on protecting critical assets.

Recommendation: To manage the complete development of the risk management approach to better ensure its effectiveness the Secretary of Defense should direct the ASD(HD&ASA) to develop a management framework that includes targets and time frames and undertakes the following steps to prepare a plan to collaborate with the Department of State and other agencies, as appropriate, to develop options to identify and address potential challenges in assessing vulnerabilities of critical foreign contractors.